There are many professionals who, in our daily lives, convey to the organization the need to carry out an impact assessment related to data protection.EIPD”, in relation to certain processing activities; But, on countless occasions, we find ourselves with the challenge of answering a question that is often repeated in these situations:What is “that” of a DPIA??
To answer this question, the first thing we must know is that the General Data Protection Regulation (GDPR) does not define this term, so there is no single valid definition for said concept.
Thus, if we go to the interpretation of the term made by the GT29, this defines it as “a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons arising from the processing of personal data by evaluating them and determining measures to address them”.
In short, it is a tool that allows the organization to know in depth the context of the treatment activity object of evaluation, as well as assess and reduce all risks associated with it.
Taking the above into consideration, it may seem that carrying out a DPIA is something that should be done for all processing activities carried out by an organization; However, to determine this issue it is necessary to carry out a Previous analysis in which it is determined whether it is carried out or not.
When is it necessary to perform a DPIA?
To determine in which cases a DPIA is appropriate, we must consider, among other criteria, the provisions of art. 35.1 of the GDPR, which establishes that it will be necessary to carry out a DPIA in those cases where a treatment activity is likely to entail a high risk for the rights and freedoms of natural persons.
From this statement, it could be concluded that it will almost always be necessary to carry out a DPIA and that is why special attention should also be paid to section 3 of this article in which the GDPR provides a list of cases in which the completion of the DPIA is mandatory:
- When a systematic and comprehensive evaluation of personal aspects of natural persons that is based on a treatment automated, such as profiling, and on the basis of which decisions are made that produce legal effects for natural persons or that significantly affect them in a similar way. An example can be found in the solvency investigation that a financial institution can carry out on a potential client in a credit reference database, in order to determine whether to grant them a loan.
- In those cases in which there is a large scale treatment of special categories of data or personal data relating to criminal convictions and offences.
- When a systematic large-scale observation of a publicly accessible area, as can happen through the installation of a video surveillance system.
Notwithstanding the above, let us remember that a complete prior analysis must be carried out, referring not only to the cases in which it is mandatory to carry out a DPIA, but will also assess all those characteristics proposed by WG29 in the procedure it proposes for this purpose.
In our next post What is an impact evaluation and when should it be done? (II) We will analyze this procedure along with its characteristics, as well as some additional issues that should be taken into consideration.
If you want to delve deeper into large-scale data processing, check out our previous post here.
If you don't want to miss any of our articles, subscribe now to our weekly newsletter.
